Linux Secure Shell
Much of this information is taken from the secure shell website. It is intended as an introductory supplement and an aid to getting secure shell running.
Why you should use secure shell
When a user logs on to a Linux system using the standard telnet or ftp services, the password is sent over the network in the clear during the logon. Anyone with a network sniffer on the path can capture the password and then log in as that user. Secure shell encrypts the whole session, including the password exchange, and adds several other important security measures (host keys that let the client check it is talking to the right server, and public key authentication in place of passwords), so users can log on to Linux systems remotely without exposing their credentials to eavesdroppers.
Getting secure shell
Refer to the weblinks section under "Sites for specific programs" to locate secure shell documentation and downloadable copies of secure shell. Secure shell is a commercial product when used by companies, but individuals and educational institutions may use it without charge. The secure shell website has a FAQ section that links to mirror sites for documentation and downloads.
Installation on Linux
Place the secure shell downloaded package in /usr/local/source and issue the following commands:
- Unpack the file with "tar xvzf ssh-2_2_0_tar.gz". The directory "ssh-2.2.0" will be created.
- Enter the directory with the command "cd ssh-2.2.0"
- Type "./configure" to configure the package for the build.
- Type "make" to build the package.
- Type "make install" (as root) to install the package under /usr/local.
- Optionally type "make clean-up-old" to remove *.old files.
This assumes you are installing from a gzipped tar source archive.
Installation on a Windows platform
- Double click on the SSHWin-2_2_0.EXE file that you downloaded. An install wizard will begin.
- Perform the install, reading and accepting the license agreement. The copy I tested was a 30 day evaluation copy.
- Click on "Start" -> "Programs" -> "SSH Secure Shell" -> "Secure Shell Client" to start the secure shell program. This program has an excellent help menu that can be activated by selecting "Help" -> "Contents".
- Click on "Edit" -> "Settings" , select "Connection" and enter your hostname and user name then click OK.
- Click on "Edit" -> "Settings", select "User Keys" and click the "Generate New Key Pair" button to generate a key pair. You will be asked for a passphrase, which is needed later for key authentication. Generation takes a few minutes, so this is a good time to start the service on the host side.
- Start sshd on the host side. On Linux, type "/usr/local/sbin/sshd2" on the command line as root; the program is normally installed in /usr/local/sbin. To start it at bootup, the same command may be placed in /etc/rc.d/rc.local.
- Logon from the Windows side by pressing ENTER or selecting "File" -> "Connect".
- Enter your Linux user name and the user password for your Linux account.
- Upload the public key file generated earlier to the user's ~/.ssh2 directory on the Linux host:
- Click on "Edit" -> "Settings" , select "Host Settings", and click "Browse" to locate the public key file generated earlier. It may be in C:\Program Files\SSH Communications Security\Users\computername\userkeys\user.pub.
- Click on "Window" -> "NewFileTransfer"
- Select "View" -> "Show Hidden Files"
- Enter the $HOME/.ssh2 directory.
- Select "Operation -> "Upload"
- Create a file called "authorization" in the user's $HOME/.ssh2 directory. Use an editor to enter the word "Key" followed by the name of the file you uploaded, or type the following:
- cd ~/.ssh2
- echo "Key username.pub" > authorization
- Note that ">" overwrites any existing authorization file; to allow a second key as well, append a further "Key" line with ">>" instead.
- The next time you log in, entering your password in the "Connect to Remote Host" dialog box uses password authentication, so you must enter your Linux user's password. Pressing ENTER at that box instead lets you enter your passphrase, and the private key is then used for authentication.
Congratulations, you are done, unless you are interested in setting up your Linux computer as a client. If you want to use your Windows computer as a host, you will need another program (if one exists), since the program above is a Windows SSH2 client only.
Configuring SSH for Linux
This section and the sections below are useful if you want to connect from one Linux computer to another, or use Linux on the client side. The following steps are documented in the README and SSH2.QUICKSTART files of the SSH package; the comments here are additional. Rely on the package documentation for the authoritative procedure, since programs change and the procedures may change with them.
You will be generating key pairs to allow secure communications in the following steps. Keep in mind that on the server side you need the user's public key and an authorization file, and on the client side the private key and an identification file. The public key on the server and the private key on the client must be a matching pair, as generated by ssh-keygen2. You can use either host based or user based authentication. With user based authentication, the key files mentioned below are set up in the user's home directory. With host based authentication, the host being authenticated must have the appropriate host key files. The instructions below set up user authentication.
- Be sure your computer has the device "/dev/random", which ssh-keygen2 uses as its source of randomness when generating keys. If it does not exist, consult the ssh-keygen2 man page for how randomness is supplied; keys generated without a good randomness source may be predictable.
- Set up the following files (Note: The ~ symbol indicates the user's home directory):
- Files needed on the client host to log in to a remote server host.
- ~/.ssh2/id_dsa_1024_a and ~/.ssh2/id_dsa_1024_a.pub - The first is a 1024 bit DSA private key and the second is the matching 1024 bit DSA public key. The public key may be distributed to the computers you want to log in to. The private key must be held only by the user, and should be readable by nobody else.
Create these files while logged in as the user they are for, by typing "ssh-keygen2".
You will be asked for a passphrase. The two files are created at the locations shown above.
- ~/.ssh2/identification - Lists the private keys to be used for authentication. The contents of the file should be:
IdKey id_dsa_1024_a
This can be created using an editor or by running the ssh-pubkeymgr script. The following commands will also create this file:
- cd ~/.ssh2
- echo "IdKey id_dsa_1024_a" > identification
- Files needed on the server host to enable users to log in from a remote client host.
- Repeat the key generation above on the server host, as the same user, so that the user's .ssh2 directory is set up there (optionally with a different passphrase). Then copy the client's public key, id_dsa_1024_a.pub, into that directory. Also create an identification file there if you want to use this machine to log on to further remote machines.
- Copy the public key file "~/.ssh2/id_dsa_1024_a.pub" from the client host above to this server host, placing it in the ~/.ssh2 directory there under the name "serverhostname.pub". The name is arbitrary, but it must match the "Key" line in the authorization file below.
- ~/.ssh2/authorization - Lists the public keys accepted for this account. Anyone holding the private key that matches a listed public key may log in as this user.
This can be created using an editor or by running the ssh-pubkeymgr script. The following commands will also create this file:
- cd ~/.ssh2
- echo "Key serverhostname.pub" > authorization
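As an added example (not code from the SSH package or its documentation), the following POSIX shell helpers perform the file setup from both the Windows client section and the Linux client/server section above in one place: registering a private key in ~/.ssh2/identification on the client, and installing an uploaded public key together with its "Key" line in ~/.ssh2/authorization on the server. The function names, the explicit directory argument and the permission choices are this example's own; the header check relies on the standard SSH2 public key file format, which begins with "---- BEGIN SSH2 PUBLIC KEY ----".

```shell
#!/bin/sh
# Added example helpers (not part of the SSH package). DIR is the user's
# .ssh2 directory; it is passed explicitly so the functions can be tried
# on a scratch directory before touching the real ~/.ssh2.

# Append LINE to FILE unless that exact line is already present, so that
# running the setup twice never produces duplicate IdKey/Key entries.
add_line_once() {
    file=$1
    line=$2
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Client side. KEY is the private key file name inside DIR, e.g.
# id_dsa_1024_a as produced by ssh-keygen2. The private key is made
# readable only by its owner and an "IdKey KEY" line is added to
# DIR/identification. Fails if the private key is not there, because an
# IdKey line pointing at a missing file just leaves you with password
# authentication and no hint why.
client_identify() {
    dir=$1
    key=$2
    if [ ! -f "$dir/$key" ]; then
        echo "client_identify: private key $dir/$key not found" >&2
        return 1
    fi
    chmod 700 "$dir"
    chmod 600 "$dir/$key"
    add_line_once "$dir/identification" "IdKey $key"
    chmod 600 "$dir/identification"
}

# Server side. PUB is the public key file copied from the client and NAME
# is the name it gets inside DIR (arbitrary, but it must match the Key
# line). The file is checked for the SSH2 public key header first, so that
# accidentally uploading the private key, or a key in some other format,
# is refused instead of being authorized.
server_authorize() {
    dir=$1
    pub=$2
    name=$3
    if ! head -n 1 "$pub" 2>/dev/null | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----'; then
        echo "server_authorize: $pub is not an SSH2 public key file" >&2
        return 1
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"
    cp "$pub" "$dir/$name"
    chmod 644 "$dir/$name"
    add_line_once "$dir/authorization" "Key $name"
    chmod 600 "$dir/authorization"
}
```

On the client, run "client_identify ~/.ssh2 id_dsa_1024_a" after ssh-keygen2 has finished; on the server, run "server_authorize ~/.ssh2 /path/to/uploaded.pub serverhostname.pub" as the user being logged in to. The Windows client case uses only server_authorize, since there the client side is handled by the Windows program.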
Additional configuration files that you may not need to be concerned about
- Files that may need to be configured:
- ~/.ssh2/hostkeys/key_xxxx_yyyy.pub - The public host key for port xxxx of host yyyy, saved when you first connect to that host.
- ~/.ssh2/ssh2_config - The per-user client configuration file, in the same format as /etc/ssh2/ssh2_config.
- ~/.ssh2/knownhosts/xxxxyyyy.pub - Public host keys of the hosts users will log in from, for host based authentication. The ~/.shosts or ~/.rhosts file must also be set up. See the SSH documentation for more information on this subject.
- /etc/hosts.equiv and /etc/shosts.equiv. See the ssh2 and sshd2 man pages.
- ~/.rhosts and ~/.shosts
- Files that should already be configured:
- /etc/ssh2/ssh2_config - This file is created by the "make install" command issued earlier.
- /etc/ssh2/hostkey.pub and /etc/ssh2/hostkey - The server's host key pair, created by the "make install" command issued earlier. If they are missing, they may be created by issuing the following commands as root ("-P" creates the key without a passphrase, which a host key must not have, since sshd2 reads it unattended at startup). Regenerating the host key changes the key that clients have already saved for this server, so they will warn about a changed host key on their next connection:
- rm /etc/ssh2/hostkey*
- ssh-keygen2 -P /etc/ssh2/hostkey
See the ssh2_config and sshd2_config man pages for more configuration file format information.
The package now implements the SSH2 protocol, which has improved security over SSH1. The binary programs include:
- ssh2 - The secure shell client which replaces rlogin and rsh.
- sshd2 - The secure shell daemon.
- sftp2 - The secure shell FTP client.
- sftp-server2 - The secure shell FTP server which is executed from the sshd2 daemon program.
- scp2 - The secure copy client, which copies files to and from remote hosts over an SSH2 connection.
- ssh-keygen2 - A utility for generating security keys.
- ssh-add2 - Adds identities to the authentication agent.
- ssh-agent2 - The authentication agent.
- ssh-askpass2 - X utility for querying passphrases.
- ssh-signer2 - Signs host based authentication packets.
- ssh-probe2 - Probes a network for ssh2 servers.
- ssh-pubkeymgr - A script that helps create the identification and authorization files described above.
- ssh-chrootmgr - A utility that makes it easier to set up a chroot environment.
There is also a man page for ssh2_config.